August saw a dramatic growth in malware targeting the Windows CVE-2010-2568 vulnerability, according to Kaspersky Lab, which has just announced the publication of its Monthly Malware Statistics for August 2010.
The vulnerability was first targeted by Worm.Win32.Stuxnet, a network worm which gained notoriety back in late July, and then again by Virus.Win32.Sality.ag, the Trojan-Dropper program that installs the latest variant of the Sality virus. However, Microsoft subsequently patched the vulnerability on 2 August with a ‘critical’ update for all users.
The CVE-2010-2568 vulnerability occurs in the handling of Windows LNK and PIF shortcuts, and the worms can spread via infected USB devices. Vulnerable computers become infected when users access USB-connected devices. A specially crafted shortcut makes the Windows Shell download an external DLL, which then executes arbitrary code with the privileges of the user who launched Explorer.
Three programs associated with the vulnerability appear in Kaspersky Lab’s ranking of malware most frequently blocked on users’ computers. Two of the exploits, known as Exploit.Win32.CVE-2010-2568.d (in 9th place) and Exploit.Win32.CVE-2010-2568.b (in 12th place), directly target the vulnerability, while Trojan-Dropper.Win32.Sality.r (in 17th place) uses this vulnerability for propagation purposes. The dropper generates vulnerable LNK shortcuts with names designed to attract attention and spreads these across local area networks. The malware is launched when a user opens a folder containing one of these shortcuts.
A full version of the August malware ranking from Kaspersky Lab is available at: www.securelist.com.